deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into vs-win10gdproverview

Browse Source
This commit is contained in:
eross-msft 2017-09-05 15:42:10 -07:00
commit 2dcc4750b5
41 changed files with 2259 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
View File

@ -634,7 +634,6 @@ Alert sample:
<Item> <Item>
<Meta> <Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/AADUserToken</Type> <Type xmlns=”syncml:metinf”>com.microsoft/MDM/AADUserToken</Type>
<Format xmlns=”syncml:metinf”>chr</Format>
</Meta> </Meta>
<Data>UserToken inserted here</Data> <Data>UserToken inserted here</Data>
</Item> </Item>
@ -664,7 +663,6 @@ Here's an example.
<Item> <Item>
<Meta> <Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type> <Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type>
<Format xmlns=”syncml:metinf”>chr</Format>
</Meta> </Meta>
<Data>user</Data> <Data>user</Data>
</Item> </Item>

1
windows/deployment/deploy.md
View File

@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 09/05/2017
author: greg-lindsay author: greg-lindsay
--- ---

1
windows/deployment/index.md
View File

@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 09/05/2017
author: greg-lindsay author: greg-lindsay
--- ---

1
windows/deployment/mbr-to-gpt.md
View File

@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: deploy ms.pagetype: deploy
author: greg-lindsay author: greg-lindsay
ms.date: 09/05/2017
ms.localizationpriority: high ms.localizationpriority: high
--- ---

39
windows/threat-protection/TOC.md
View File

@ -71,6 +71,45 @@
#### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md) #### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md)
#### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md) #### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) #### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md)
#### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md)
##### Actor
###### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md)
###### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
##### Alerts
###### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md)
###### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
###### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
###### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
###### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
###### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
###### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
##### Domain
###### [Get domain related alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md)
###### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md)
###### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
##### File
###### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md)
###### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md)
###### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md)
##### IP
###### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md)
###### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md)
###### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md)
##### Machines
###### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
###### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md)
###### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
###### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
##### User
###### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
###### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md)
###### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md)
### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) ### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md) ### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) #### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)

2
windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
View File

@ -1,5 +1,5 @@
--- ---
title: View the Windows Defender Advanced Threat Protection Security operations dashboard title: Windows Defender Advanced Threat Protection Security operations dashboard
description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts.
keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh

100
windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,100 @@
---
title: Use the Windows Defender Advanced Threat Protection exposed APIs
description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Use the Windows Defender ATP exposed APIs
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, youll need to take the following steps to use the APIs:
- Create an app
- Get an access token
- Run queries on the graph API
### Before you begin
Before using the APIs, youll need to create an app that youll use to authenticate against the graph. Youll need to create a native app to use for the adhoc queries.
## Create an app
1. Log on to [Azure](https://portal.azure.com).
2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png)
3. In the Create window, enter the following information then click **Create**.
![Image of Create application window](images/atp-azure-create.png)
- **Name:** WinATPGraph
- **Application type:** Native
- **Redirect URI:** `https://localhost`
4. Navigate and select the newly created application.
![Image of new app in Azure](images/atp-azure-atp-app.png)
5. Click **All settings** > **Required permissions** > **Add**.
![Image of All settings, then required permissions](images/atp-azure-required-permissions.png)
6. Click **Select an API** > **Microsoft Graph**, then click **Select**.
![Image of API access and API selection](images/atp-azure-api-access.png)
7. Click **Select permissions** and select **Sign in and read user profile** then click **Select**.
![Image of select permissions](images/atp-azure-select-permissions.png)
You can now use the code snippets in the following sections to query the API using the created app ID.
## Get an access token
1. Get the Client ID from the application you created.
2. Use the **Client ID**. For example:
```
private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
private const string resourceId = "https://graph.microsoft.com";
private const string clientId = "{YOUR CLIENT ID/APP ID HERE}";
private const string redirect = "https://localhost";
HttpClient client = new HttpClient();
AuthenticationContext auth = new AuthenticationContext(authority);
var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result;
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken);
```
## Query the graph
Once the bearer token is retrieved, you can easily invoke the graph APIs. For example:
```
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
// sample endpoint
string ep = @"https://graph.microsoft.com/{VERSION}/alerts?$top=5";
HttpResponseMessage response = client.GetAsync(ep).Result;
string resp = response.Content.ReadAsStringAsync().Result;
Console.WriteLine($"response for: {ep} \r\n {resp}");
```
## Related topics
- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)

2
windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 09/01.2017 ms.date: 09/05/2017
--- ---
# Find machine information by interal IP # Find machine information by interal IP

67
windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,67 @@
---
title: Get actor information API
description: Retrieves an actor information report.
keywords: apis, graph api, supported apis, get, actor, information
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get actor information
Retrieves an actor information report.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/actor/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and actor exists - 200 OK.
If actor does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/actors/zinc
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity",
"id": "zinc",
"linkToReport": "link-to-pdf"
}
```

77
windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,77 @@
---
title: Get actor related alerts API
description: Retrieves all alerts related to a given actor.
keywords: apis, graph api, supported apis, get, actor, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get actor related alerts
Retrieves all alerts related to a given actor.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/actor/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert exists - 200 OK.
If actor does not exist or no related alerts - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/actors/zinc/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 3,
"value": [
{
"id": "636390437845006321_-1646055784",
"severity": "Medium",
"status": "Resolved",
"description": "Malware associated with ZINC has been detected.",
"recommendedAction": "1.\tContact your incident response team.",
"alertCreationTime": "2017-08-23T00:09:43.9057955Z",
"category": "Malware",
"title": "Malware associated with the activity group ZINC was discovered",
}
```

73
windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,73 @@
---
title: Get alert information by ID API
description: Retrieves an alert by its ID.
keywords: apis, graph api, supported apis, get, alert, information, id
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alert information by ID
Retrieves an alert by its ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert exists - 200 OK.
If alert not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts/$entity",
"id": "636396039176847743_89954699",
"severity": "Informational",
"status": "New",
"description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs",
"recommendedAction": "Collect artifacts and determine scope.",
"alertCreationTime": "2017-08-29T11:45:17.5754165Z",
}
```

69
windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,69 @@
---
title: Get alert related actor information API
description: Retrieves the actor information related to the specific alert.
keywords: apis, graph api, supported apis, get, alert, actor, information, related
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alert related actor information
Retrieves the actor information related to the specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/actor
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and actor exist - 200 OK.
If alert not found or actor not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/actor
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity",
"id": "zinc",
"linkToReport": "link-to-pdf"
}
```

71
windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,71 @@
---
title: Get alert related domain information
description: Retrieves all domains related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related domain
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alert related domain information
Retrieves all domains related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/domains
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and domain exist - 200 OK.
If alert not found or domain not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/domains
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Domains",
"value": [
{
"host": "www.example.com"
}
]
}
```

73
windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,73 @@
---
title: Get alert related files information
description: Retrieves all files related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related files
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alert related files information
Retrieves all files related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/files
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and files exist - 200 OK.
If alert not found or files not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/files
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files",
"value": [
{
"sha1": "121c7060dada38275d7082a4b9dc62641b255c36",
"sha256": "c815e0abb8273ba4ea6ca92d430d9e4d065dbb52877a9ce6a8371e5881bd7a94",
"md5": "776c970dfd92397b3c7d74401c85cd40",
"globalPrevalence": null,
"globalFirstObserved": null,
}
```

73
windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,73 @@
---
title: Get alert related IP information
description: Retrieves all IPs related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related ip
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alert related IP information
Retrieves all IPs related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/ips
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and an IP exist - 200 OK.
If alert not found or IPs not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/ips
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Ips",
"value": [
{
"id": "104.80.104.128"
},
{
"id": "23.203.232.228
}
```

68
windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,68 @@
---
title: Get alert related machine information
description: Retrieves all machines related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related machine
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alert related machine information
Retrieves all machines related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/machine
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and machine exist - 200 OK.
If alert not found or machine not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/machine
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity",
"id": "207575116e44741d2b22b6a81429b3ca4fd34608",
"computerDnsName": "machine1-corp.contoso.com",
"firstSeen": "2015-12-01T11:31:53.7016691Z",
}
```

71
windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,71 @@
---
title: Get alert related user information
description: Retrieves the user associated to a specific alert.
keywords: apis, graph api, supported apis, get, alert, information, related, user
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alert related user information
Retrieves the user associated to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/user
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and a user exists - 200 OK.
If alert not found or user not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/user
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity",
"id": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4\\DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868",
"accountSid": null,
"accountName": "DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868",
"accountDomainName": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4",
}
```

75
windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,75 @@
---
title: Get alerts API
description: Retrieves top recent alerts.
keywords: apis, graph api, supported apis, get, alerts, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alerts
Retrieves top recent alerts.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alerts exists - 200 OK.
If no recent alerts found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 5000,
"@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/alerts?$skip=5000",
"value": [
{
"id": "636396039176847743_89954699",
"severity": "Informational",
"status": "New",
"description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs",
"recommendedAction": "Collect artifacts and determine scope",
"alertCreationTime": "2017-08-29T11:45:17.5754165Z",
}
```

74
windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,74 @@
---
title: Get domain related alerts API
description: Retrieves a collection of alerts related to a given domain address.
keywords: apis, graph api, supported apis, get, domain, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get domain related alerts
Retrieves a collection of alerts related to a given domain address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/domains/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and domain and alert exists - 200 OK.
If domain or alert does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/domains/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```

72
windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Get domain related machines API
description: Retrieves a collection of machines related to a given domain address.
keywords: apis, graph api, supported apis, get, domain, related, machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get domain related machines
Retrieves a collection of machines related to a given domain address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/domains/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and domain and machine exists - 200 OK.
If domain or machines do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```

69
windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,69 @@
---
title: Get domain statistics API
description: Retrieves the prevalence for the given domain.
keywords: apis, graph api, supported apis, get, domain, domain related machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get domain statistics
Retrieves the prevalence for the given domain.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/domains/{id}/stats
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and domain exists - 200 OK.
If domain does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.graph.InOrgDomainStats",
"host": "example.com",
"orgPrevalence": "4070",
"orgFirstSeen": "2017-07-30T13:23:48Z",
"orgLastSeen": "2017-08-29T13:09:05Z"
}
```

70
windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,70 @@
---
title: Get file information API
description: Retrieves a file by identifier Sha1, Sha256, or MD5.
keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get file information
Retrieves a file by identifier Sha1, Sha256, or MD5.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file exists - 200 OK.
If file does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files/$entity",
"sha1": "adae3732709d2178c8895c9be39c445b5e76d587",
"sha256": "34fcb083cd01b1bd89fc467fd3c2cd292de92f915a5cb43a36edaed39ce2689a",
"md5": "d387a06cd4bf5fcc1b50c3882f41a44e",
"globalPrevalence": 40790196,
}
```

74
windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,74 @@
---
title: Get file related alerts API
description: Retrieves a collection of alerts related to a given file hash.
keywords: apis, graph api, supported apis, get, file, hash
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get file related alerts
Retrieves a collection of alerts related to a given file hash.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file and alert exists - 200 OK.
If file or alerts do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```

72
windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Get file related machines API
description: Retrieves a collection of machines related to a given file hash.
keywords: apis, graph api, supported apis, get, machines, hash
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get file related machines
Retrieves a collection of machines related to a given file hash.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file and machines exists - 200 OK.
If file or machines do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```

73
windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,73 @@
---
title: Get file statistics API
description: Retrieves the prevalence for the given file.
keywords: apis, graph api, supported apis, get, file, statistics
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get file statistics
Retrieves the prevalence for the given file.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/stats
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file exists - 200 OK.
If file do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
"sha1": "adae3732709d2178c8895c9be39c445b5e76d587",
"orgPrevalence": "106398",
"orgFirstSeen": "2017-07-30T13:29:50Z",
"orgLastSeen": "2017-08-29T13:29:31Z",
"topFileNames": [
"chrome.exe",
"old_chrome.exe"
]
}
```

74
windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,74 @@
---
title: Get IP related alerts API
description: Retrieves a collection of alerts related to a given IP address.
keywords: apis, graph api, supported apis, get, ip, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get IP related alerts
Retrieves a collection of alerts related to a given IP address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/ips/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and IP and alert exists - 200 OK.
If IP and alerts do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/ips/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```

72
windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Get IP related machines API
description: Retrieves a collection of machines related to a given IP address.
keywords: apis, graph api, supported apis, get, ip, related, machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get IP related machines
Retrieves a collection of alerts related to a given IP address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/ips/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and IP and machines exists - 200 OK.
If IP or machines do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```

69
windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,69 @@
---
title: Get IP statistics API
description: Retrieves the prevalence for the given IP.
keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get IP statistics
Retrieves the prevalence for the given IP.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/ips/{id}/stats
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and IP and domain exists - 200 OK.
If domain does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
"ipAddress": "192.168.1.1",
"orgPrevalence": "63515",
"orgFirstSeen": "2017-07-30T13:36:06Z",
"orgLastSeen": "2017-08-29T13:32:59Z"
}
```

72
windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Get machine by ID API
description: Retrieves a machine entity by ID.
keywords: apis, graph api, supported apis, get, machines, entity, id
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get machine by ID
Retrieves a machine entity by ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine exists - 200 OK.
If no machine found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/{id}
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity",
"id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9",
"computerDnsName": "",
"firstSeen": "2015-03-15T00:18:20.6588778Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
}
```

71
windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,71 @@
---
title: Get machine log on users API
description: Retrieves a collection of logged on users.
keywords: apis, graph api, supported apis, get, machine, log on, users
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get machine log on users
Retrieves a collection of logged on users.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/{id}/logonusers
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine and user exist - 200 OK.
If no machine found or no users found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/{id}/logonusers
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users",
"value": [
{
"id": "m",
"accountSid": null,
"accountName": "",
"accountDomainName": "northamerica",
}
```

73
windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,73 @@
---
title: Get machine related alerts API
description: Retrieves a collection of alerts related to a given machine ID.
keywords: apis, graph api, supported apis, get, machines, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get machine related alerts
Retrieves a collection of alerts related to a given machine ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine and alert exists - 200 OK.
If no machine or no alerts found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 1,
"value": [
{
"id": "636396066728379047_-395412459",
"severity": "Medium",
"status": "New",
"description": "A reverse shell created from PowerShell was detected. A reverse shell allows an attacker to access the compromised machine without authenticating.",
}
```

76
windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,76 @@
---
title: Get machines API
description: Retrieves a collection of recently seen machines.
keywords: apis, graph api, supported apis, get, machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get machines
Retrieves a collection of recently seen machines.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machines exists - 200 OK.
If no recent machines - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"@odata.count": 5000,
"@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/machines?$skip=5000",
"value": [
{
"id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9",
"computerDnsName": "",
"firstSeen": "2015-03-15T00:18:20.6588778Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
}
```

70
windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,70 @@
---
title: Get user information API
description: Retrieve a User entity by key such as user name or domain.
keywords: apis, graph api, supported apis, get, user, user information
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get user information
Retrieve a User entity by key (user name or domain\user).
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/users/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and user exists - 200 OK.
If user does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/users/{id}
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity",
"id": "",
"accountSid": null,
"accountName": "",
"accountDomainName": "",
}
```

74
windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,74 @@
---
title: Get user related alerts API
description: Retrieves a collection of alerts related to a given user ID.
keywords: apis, graph api, supported apis, get, user, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get user related alerts
Retrieves a collection of alerts related to a given user ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/users/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and user and alert exists - 200 OK.
If user does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/users/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```

72
windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Get user related machines API
description: Retrieves a collection of machines related to a given user ID.
keywords: apis, graph api, supported apis, get, user, user related alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get user related machines
Retrieves a collection of machines related to a given user ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/users/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and user and machine exists - 200 OK.
If user or machine does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/users/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```

10
windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
View File

@ -24,16 +24,6 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)] [!include[Prerelease information](prerelease.md)]
# Investigate a user account in Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
## Investigate user account entities ## Investigate user account entities
Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account. Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account.

66
windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,66 @@
---
title: Is domain seen in org API
description: Use this API to create calls related to checking whether a domain was seen in the organization.
keywords: apis, graph api, supported apis, domain, domain seen
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Is domain seen in org
Answers whether a domain was seen in the organization.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/domains/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and domain exists - 200 OK.
If domain does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/domains/{id}
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Domains/$entity",
"host": "example.com"
}
```

66
windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,66 @@
---
title: Is IP seen in org API
description: Answers whether an IP was seen in the organization.
keywords: apis, graph api, supported apis, is, ip, seen, org, organization
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Is IP seen in org
Answers whether an IP was seen in the organization.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/ips/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and IP exists - 200 OK.
If IP do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/ips/{id}
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Ips/$entity",
"id": "192.168.1.1"
}
```

38
windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,38 @@
---
title: Supported Windows Defender Advanced Threat Protection APIs
description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Supported Windows Defender ATP APIs
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
## In this section
Topic | Description
:---|:---
Actor | Run API calls such as get actor information and get actor related alerts.
Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information.
Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization.
File | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization.
Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.

BIN
windows/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 17 KiB

After

Width:  |  Height:  |  Size: 17 KiB

2
windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
View File

@ -29,7 +29,7 @@ ms.date: 08/25/2017
- Enterprise security administrators - Enterprise security administrators
Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of the operating system and apps used by your employees. Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.
There are four features in Windows Defender EG: There are four features in Windows Defender EG: